Data Protection Academy » Data Protection News » Anonymisation of Internet data often not secure

anonymisation

Anonymisation of Internet data often not secure

In an interview with the German Press Agency, Ulrich Kelber (Federal Data Protection Commissioner) calls for more reliability and clarity with regard to anonymised Internet data. Often it is only pseudonymised data. This is not real protection. We explain the difference.

Background information on anonymization

The consent of processing personal data such as name or address is not required for anonymised data according to the European General Data Protection Regulation. According to recital 26 of the GDPR, anonymised data is personal data (e.g. date of birth, name, address) that can no longer be assigned to a specific person as a result of changes made. In short: anonymised data no longer allows the identification of a person.

What is the problem

In an interview with the Deutsche Presse Agentur, the Federal Data Protection Commissioner referred to a specific case: it was often unclear whether the use of data to be consented to was actually anonymised. For example, if users were asked when making online purchases whether they agreed to anonymised use of data for market research purposes. At the same time, Kelber admitted that there is currently still a lack of legal guidelines. Companies or data subjects would often not be able to assess the situation properly. Often, supposedly anonymized data are merely pseudonymised.

External Data Protection Officer

You are welcome to contact us as external data protection officer (DPO) order. We also offer individual consulting services as well as audits and will be happy to provide you with a non-binding offer. You can find more information about our external data protection officers on our website.

Discover DSB services

Anonymisation / Pseudonymisation: what is the difference?

Anonymised data is information that cannot be related to an identified or identifiable natural person (Recital 26, GDPR). Anonymisation therefore means that a person is no longer identifiable. We have elaborated on the following further questions in our data protection wiki: When is data really anonymous? How can I anonymise data? Learn more about anonymised data in the wiki.

pseudonymisation is the processing of personal data in the sense that personal data can no longer be attributed to a specific person without the need for additional information. Learn more about pseudonymised data in the wiki.

The most important difference between anonymisation and pseudonymisation is that pseudonymised data can be assigned to a natural person, provided that further information is available. This is not possible with anonymised data. Anonymised data is therefore much more secure in terms of data protection.

Ulrich Kelber to the Deutsche Presse Agentur:

"If data were truly anonymised, there would be no need for consent to anonymous use, because then it would no longer be personal data."

Source: Data protection officer Ulrich Kelber to dpa (trade journal)

Do you have specific questions about data protection or would you like professional advice? Our data protection experts are there for you throughout Germany! Come to us!

Book demo
Prof. Dr. Andre Döring
Latest posts by Prof. Dr. Andre Döring (see all)

This might interest you too:

Erasure concept according to the GDPR

Samples, templates and examples for your GDPR erasure concept according to DIN 66398. Automatically create the erasure concept.
Read more

Personal data

What are personal data in data protection? What must be observed when processing in accordance with GDPR?
Read more

Data protection supervisory authority

Tasks, powers and responsibilities of data protection supervisory authorities. In Europe and in Germany per federal state
Read more